CATEGORIES
home IT Infrastructure Security

Ghastly GhostRedirector Gang Is Hijacking Windows Servers For Google SEO Tricks

by Alan VelascoFriday, September 05, 2025, 03:53 PM EDT
ghostredirector compromising windows servers hero
Security researchers at ESET have discovered a new threat actor in the constantly evolving cybersecurity space. The hacker group, dubbed GhostRedirector, has been attacking Windows servers using novel, custom tools. Apparently, this group's goal is to provide SEO fraud as-a-service that attempts to manipulate the page ranking results displayed by search engines.

The first tool, Rungan, places a backdoor on the targeted machine that allows the hackers to set up shop and continue to deploy additional malware to reestablish a foothold if Rungan itself is discovered and shut down. The other tool, Gamshen, is a malicious Internet Information Services (IIS) module that modifies the response the infected server returns to Googlebot.

GhostRedirector isn’t just using custom tooling to compromise servers, though. The group is also taking advantage of publicly known exploits such as EfsPotato and BadPotato, which gives the attackers the ability to create new user accounts with administrative privileges. These user accounts can be leveraged to deploy the tooling the group uses to commit the SEO fraud.
ghostredirector compromising windows servers body
Figure by ESET Research.

Once the hackers have established a foothold, the infected server passes along requests from the Googlebot engine crawler to a server the group controls. This command-and-control server then sends a response to the infected server, which is ultimately passed along to Googlebot. The response will contain information pointing the crawler to a third-party website instead of providing information from the legitimate site hosted on the compromised server.

Thankfully, a user visiting a website that has been affected by this campaign shouldn’t be negatively impacted. For now, GhostRedirector is only looking to compromise search engine results, not deploy malware to unsuspecting users.

The ESET researchers have already reached out to those whose Windows servers might have been hit by GhostRedirector. Hopefully these servers can be updated and have the infection removed to prevent further damage.
Tags:  Malware, Hackers, cybersecurity, windows-server, ghostredirector
TOP STORIES
Which New GPU Is For You?
More Results
KEEP INFORMED

Stay updated with the latest news and updates. Subscribe to our newsletter!

Subscribe Now
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2025 Hot Hardware Inc, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment